Abstract. Synthesis of correct by design systems from specification has 
recently attracted much attention. The theoretical results imply that this 
problem is highly intractable, e.g., synthesizing a system is 2EXPTIME- 
complete for an LTL specification, and EXPTIME-complete for a CTL 
specification. However, an argument against it is that the temporal spec- 
ification is highly compact, and the complexity reflects the large size of 
the system constructed. In that respect, the complexity should, perhaps, 
be specified relative to the size of the minimal satisfying system. A care- 
ful observation reveals that the size of the system is presented in such 
arguments as the size of its state space. This view is a bit nonstandard, 
in the sense that the state space can be exponentially larger than the 
size of a reasonable implementation such as a circuit or a program. Al- 
though this alternative measure of the size of the synthesized system is 
more intuitive (e.g., this is the standard way model checking problems 
are measured), research on synthesis has so far stayed with measuring 
the system in terms of the explicit state space. This raises the question 
of whether or not there always exists a small system. In this paper, we 
show that this is the case if, and only if, PSPACE = EXPTIME. 



1 Introduction 

While automatic verification [4, 1] has gained many algorithmic solutions and 
various successful tools, automatic synthesis of correct-by-design [2,3,11] sys- 
tems has had fewer results that have produced widely used tools. One of the 
main problems is the complexity of the synthesis problem. A classical result by 
Pnueli and Rosner [12] shows that synthesis of a system from an LTL specification 
is 2EXPTIME-complete. It was later shown by Kupferman and Vardi 
that synthesis for CTL specifications is EXPTIME-complete [7]. A counter 
argument for this complexity difficulty is that the size of the system produced by 
the synthesis procedure is typically large. Some concrete examples [6] show that 
the size of the system synthesized may be doubly exponentially larger than the 
LTL specification. This, in fact, shows that LTL specification is quite a compact 
representation of a system, rather than simply a formalism that is intrinsically 
hard for synthesis. 

As we are interested in the relationship between the specification and synthesized 
system, a question arises with respect to the nature of the system representation. 
The classical synthesis problem regards the system as a transition 
system with an explicit state space, and the size of this system is the number 
of transitions and states. This is, to some extent, a biased measurement, 
as systems (programs, circuits with memory) often have a much more concise 
representation: it is often possible to produce a circuit or program that is 
exponentially smaller than the corresponding transition system. For example, it 
is easy to produce a small program that implements an $n$ bit binary counter, 
but a corresponding transition system requires $2^n$ distinct states to implement 
the same counter. Thus, we ask: what is the size of the minimal 
system representation in terms of the specification? 

We look at CTL and LTL, and study the relative synthesized system complexity. 
We focus on CTL synthesis and then show results for LTL. We choose to 
represent our systems as online Turing machines with a bounded storage tape. 
This is because there exist straightforward translations between online Turing 
machines and the natural representations of a system, such as programs and 
circuits. Moreover, these translations produce programs and circuits that have 
comparable size to the original online Turing machine. 

Our binary-counter example showed that there are instances in which an 
online Turing machine model of a CTL formula is exponentially smaller than 
a transition system model of that formula. In this paper we ask: is this always 
the case? More precisely, for every CTL formula $\phi$, does there always exist an 
online Turing machine $\mathcal{M}$ that models $\phi$, where the amount of space required 
to describe $\mathcal{M}$ is polynomial in $|\phi|$? We call machines with this property small. 
Our answer to this problem is the following theorem: 

Every CTL formula has a small online Turing machine model if, and only 
if, PSPACE = EXPTIME. 

Since it is widely believed that PSPACE ≠ EXPTIME, the "if" direction of this 
theorem implies that it is very unlikely that all CTL formulas have small online 
Turing machine models. On the other hand, since proving that PSPACE ≠ 
EXPTIME is very difficult, the "only if" direction of this theorem implies that 
it is also very difficult to find a family of CTL formulas that provably require 
super-polynomial sized models. 

Since the online Turing machine has a storage tape, after receiving an input 
it may perform many intermediate computational steps to produce the corresponding 
output. In particular, if $\phi$ is a CTL formula, then a small model of 
$\phi$ may take exponential time in $|\phi|$ to produce each output. This leads to the 
second question that we address in this paper: for each CTL formula $\phi$, does 
there always exist a small online Turing machine that is fast? The machine is 
fast if it always responds to each input in polynomial time. Again, our result is 
to link this question to an open problem in complexity theory: 

Every CTL formula has a small online Turing machine model that is fast 
if, and only if, EXPTIME ⊆ P/poly. 

P/poly is the class of problems solvable by a polynomial-time Turing machine 
with an advice function that provides advice strings of polynomial size. It has 






been shown that if EXPTIME ⊆ P/poly, then the polynomial hierarchy 
collapses [5]. Since our first result shows that it is already highly unlikely that 
there is always a small model, it is not too surprising that it is highly unlikely 
that there is always a small model that is fast. On the other hand, this result 
also says something stronger than our first result: we cannot even expect to find 
a family of CTL formulas that provably require either a super-polynomial sized 
model, or super-polynomial time to respond to an input. 

2 Preliminaries 

2.1 CTL Formulas 

Given a finite set $\Pi$ of atomic propositions, the syntax of a CTL formula is 
defined as follows: 

$\phi ::= p \mid \neg\phi \mid \phi \vee \phi \mid A\psi \mid E\psi,$ 
$\psi ::= X\phi \mid \phi\, U\, \phi,$ 

where $p \in \Pi$. For each CTL formula $\phi$ we define $|\phi|$ to be the size of the parse 
tree for that formula. 

Let $T = (V, E)$ be an infinite directed tree, with all edges pointing away 
from the root. Let $l : V \to 2^{\Pi}$ be a labelling function. The semantics of CTL 
are defined as follows. For each $v \in V$ we have: 

— $v \models p$ if and only if $p \in l(v)$. 

— $v \models \neg\phi$ if and only if $v \not\models \phi$. 

— $v \models \phi \vee \psi$ if and only if either $v \models \phi$ or $v \models \psi$. 

— $v \models A\psi$ if and only if for all paths $\pi$ starting at $v$ we have $\pi \models \psi$. 

— $v \models E\psi$ if and only if there exists a path $\pi$ starting at $v$ with $\pi \models \psi$. 

Let $\pi = v_1, v_2, \ldots$ be an infinite path in $T$. We have: 

— $\pi \models X\phi$ if and only if $v_2 \models \phi$. 

— $\pi \models \phi\, U\, \psi$ if and only if there exists $i \in \mathbb{N}$ such that $v_i \models \psi$ and for all $j$ in 
the range $1 \le j < i$ we have $v_j \models \phi$. 

The pair $(T, l)$, where $T$ is a tree and $l$ is a labelling function, is a model of $\phi$ if 
and only if $r \models \phi$, where $r \in V$ is the root of the tree. If $(T, l)$ is a model of $\phi$, 
then we write $T, l \models \phi$. 

2.2 Abstract Transition Systems 

An abstract transition system is a tuple $\mathcal{T} = (S, \Sigma_I, \Sigma_O, \tau, l, \mathit{start}, \mathit{input})$. 
The set $S$ is a finite set of states, and the state $\mathit{start} \in S$ is a starting state. The 
set $\Sigma_I$ gives an input alphabet, and the set $\Sigma_O$ gives an output alphabet. The 
letter $\mathit{input} \in \Sigma_I$ gives the initial input letter. The function $l : S \to \Sigma_I \times \Sigma_O$ 
maps each state to a pair of input and output letters. The transition function 
$\tau : S \times \Sigma_I \to S$ gives the transitions for each state and each input letter. Let 
$\Pi_I$ be a set of input variables, and let $\Pi_O$ be a set of output variables. We are 
interested in transition systems in which the input alphabet is $\Sigma_I = 2^{\Pi_I}$, and 
the output alphabet is $\Sigma_O = 2^{\Pi_O}$. 

We say that a transition system is input preserving if the labels accurately 
record the previous input. More formally, a transition system is input preserving 
if for every state $s \in S$, and every input letter $\sigma_I$, we have 
$l(\tau(s, \sigma_I)) = (\sigma_I, \sigma_O)$ for some output letter $\sigma_O \in \Sigma_O$. Moreover, we must 
have that $l(\mathit{start}) = (\mathit{input}, \sigma_O)$ for some letter $\sigma_O \in \Sigma_O$. 

A sequence of states $\pi = s_1, s_2, s_3, \ldots$ is an infinite path in the transition 
system if $s_1 = \mathit{start}$, and if for each $i$ there is a letter $\sigma_i$ such that $\tau(s_i, \sigma_i) = s_{i+1}$. 
For each infinite path $\pi$, we define a word $\omega(\pi) = l(s_1), l(s_2), l(s_3), \ldots$, which 
gives the labels of the states seen along $\pi$. 

Suppose that $\phi$ is a CTL formula that uses $\Pi_I$ as a set of input propositions, 
and $\Pi_O$ as a set of output propositions. Let $\mathcal{T} = (S, 2^{\Pi_I}, 2^{\Pi_O}, \tau, l, \mathit{start}, \mathit{input})$ 
be an abstract transition system that uses sets of these propositions as input 
and output alphabets. Furthermore, let $(T, l)$ be the infinite tree corresponding 
to the set of words $\omega(\pi)$, over all infinite paths $\pi$. We say that $\mathcal{T}$ is a model of 
$\phi$ if $T, l \models \phi$. Given a CTL formula $\phi$ and an abstract transition system $\mathcal{T}$, the 
CTL model checking problem is to decide whether $\mathcal{T}$ is a model of $\phi$. 
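The model checking problem just defined, as an added Python example that is not part of the paper: it represents a finite abstract transition system in the form given above, checks the input preserving condition of Section 2.2, and decides $\mathcal{T}, l \models \phi$ with the standard fixpoint labelling algorithm over the finite graph, which agrees with the tree semantics because the unravelling of $\mathcal{T}$ along all input words is exactly the tree $(T, l)$. The request/grant system, its state names and the formulas are constructed for the example. Note that this algorithm stores the whole state space and so uses space linear in $|\mathcal{T}|$, not the logarithmic space bound of Theorem 1.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Letter = FrozenSet[str]


@dataclass
class TransitionSystem:
    """Finite abstract transition system (S, 2^Pi_I, 2^Pi_O, tau, l, start, input)."""
    states: FrozenSet[str]
    start: str
    initial_input: Letter
    tau: Dict[Tuple[str, Letter], str]        # (state, input letter) -> successor; total
    label: Dict[str, Tuple[Letter, Letter]]   # state -> (input letter, output letter)

    def successors(self, s: str) -> Set[str]:
        return {t for (u, _), t in self.tau.items() if u == s}

    def props(self, s: str) -> Letter:
        """Propositions true at s: the tree label l(v) is the union of both letters."""
        inp, out = self.label[s]
        return inp | out


def is_input_preserving(ts: TransitionSystem) -> bool:
    """Section 2.2: l(tau(s, sigma_I)) records sigma_I, and l(start) records input."""
    if ts.label[ts.start][0] != ts.initial_input:
        return False
    return all(ts.label[t][0] == a for (_, a), t in ts.tau.items())


# Formulas are nested tuples following the grammar of Section 2.1:
# ("p", name) | ("not", f) | ("or", f, g) | ("AX", f) | ("EX", f) | ("AU", f, g) | ("EU", f, g)
def sat(ts: TransitionSystem, phi: tuple) -> Set[str]:
    """States whose unravelled tree satisfies phi (standard labelling algorithm).
    Because tau is total, every state has a successor, so the least-fixpoint
    characterisations of EU and AU coincide with the path semantics."""
    kind = phi[0]
    if kind == "p":
        return {s for s in ts.states if phi[1] in ts.props(s)}
    if kind == "not":
        return set(ts.states) - sat(ts, phi[1])
    if kind == "or":
        return sat(ts, phi[1]) | sat(ts, phi[2])
    if kind == "EX":
        f = sat(ts, phi[1])
        return {s for s in ts.states if ts.successors(s) & f}
    if kind == "AX":
        f = sat(ts, phi[1])
        return {s for s in ts.states if ts.successors(s) <= f}
    if kind in ("EU", "AU"):
        # least fixpoint  Z = g u (f n EX Z)  for EU,  Z = g u (f n AX Z)  for AU
        f, g = sat(ts, phi[1]), sat(ts, phi[2])
        z: Set[str] = set(g)
        while True:
            if kind == "EU":
                grown = z | {s for s in f if ts.successors(s) & z}
            else:
                grown = z | {s for s in f if ts.successors(s) <= z}
            if grown == z:
                return z
            z = grown
    raise ValueError(f"unknown connective {kind!r}")


def models(ts: TransitionSystem, phi: tuple) -> bool:
    """T, l |= phi: the root of the unravelled tree is the start state."""
    return ts.start in sat(ts, phi)


# Derived connectives used below.
def p(name: str) -> tuple: return ("p", name)
def neg(f: tuple) -> tuple: return ("not", f)
def disj(f: tuple, g: tuple) -> tuple: return ("or", f, g)
def conj(f: tuple, g: tuple) -> tuple: return neg(disj(neg(f), neg(g)))
def implies(f: tuple, g: tuple) -> tuple: return disj(neg(f), g)
def EF(f: tuple) -> tuple: return ("EU", disj(f, neg(f)), f)      # E(true U f)
def AG(f: tuple) -> tuple: return neg(EF(neg(f)))                 # not E(true U not f)


# Constructed sample: Pi_I = {r} (request), Pi_O = {g} (grant).  The system grants
# exactly when it has just read a request; labels record the input, so it is input preserving.
NO_REQ: Letter = frozenset()
REQ: Letter = frozenset({"r"})
GRANT: Letter = frozenset({"g"})
RESPONDER = TransitionSystem(
    states=frozenset({"init", "idle", "busy"}),
    start="init",
    initial_input=NO_REQ,
    tau={(s, a): ("busy" if a == REQ else "idle")
         for s in ("init", "idle", "busy") for a in (NO_REQ, REQ)},
    label={"init": (NO_REQ, NO_REQ), "idle": (NO_REQ, NO_REQ), "busy": (REQ, GRANT)},
)

if __name__ == "__main__":
    print("input preserving:", is_input_preserving(RESPONDER))
    print("AG(r -> g):      ", models(RESPONDER, AG(implies(p("r"), p("g")))))
    print("EF(g and not r): ", models(RESPONDER, EF(conj(p("g"), neg(p("r"))))))
```

The universal operators are computed through their duals with `neg` and `disj`, which keeps `sat` to the connectives of the grammar; `AX` and `AU` are implemented directly because their fixpoint forms are as simple as the existential ones.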

Theorem 1 ([9]). Given an abstract transition system $\mathcal{T}$ and a CTL formula 
$\phi$, the CTL model checking problem can be solved in space polynomial in $|\phi| \cdot \log|\mathcal{T}|$. 

Given a CTL formula $\phi$, the CTL synthesis problem is to decide whether 
there exists an abstract transition system that is a model of $\phi$. This problem is 
known to be EXPTIME-complete. 

Theorem 2 ([7]). The CTL synthesis problem is EXPTIME-complete. 
2.3 Tree Automata 

Universal Co-Büchi tree automata will play a fundamental role in the proofs 
given in subsequent sections, because we will translate each CTL formula $\phi$ into 
a universal Co-Büchi tree automaton $\mathcal{U}(\phi)$. The automaton will accept transition 
systems, and the language of the tree automaton will be exactly the set of models 
of $\phi$. We will then use these automata to obtain our main results. 

A universal Co-Büchi tree automaton is $\mathcal{A} = (S, \Sigma_I, \Sigma_O, \mathit{start}, \delta, F, \mathit{input})$, 
where $S$ denotes a finite set of states, $\Sigma_I$ is a finite input alphabet, $\Sigma_O$ is a finite 
output alphabet, $\mathit{start} \in S$ is an initial state, $\delta$ is a transition function, $F \subseteq S$ 
is a set of final states, and $\mathit{input} \in \Sigma_I$ is an initial input letter. The transition 
function $\delta : S \times (\Sigma_I \times \Sigma_O) \to 2^{S \times \Sigma_I}$ maps a state and a pair of an input 
letter and an output letter to a set of pairs, where each pair consists of a successor 
state and an input letter. 

The automaton runs on abstract transition systems that use Si and So 
as their input and output alphabets. The acceptance mechanism is defined 
in terms of run graphs. A run graph of a universal Co-Büchi tree automaton 
$\mathcal{A} = (S_{\mathcal{A}}, \Sigma_I, \Sigma_O, \mathit{start}_{\mathcal{A}}, \delta_{\mathcal{A}}, F_{\mathcal{A}}, \mathit{input})$ on an abstract transition system 
$\mathcal{T} = (S_{\mathcal{T}}, \Sigma_I, \Sigma_O, \tau, l_{\mathcal{T}}, \mathit{start}_{\mathcal{T}}, \mathit{input})$ is defined to be a minimal directed graph 
$G = (V, E)$ that satisfies the following constraints: 

— The vertices of $G$ satisfy $V \subseteq S_{\mathcal{A}} \times S_{\mathcal{T}}$. 

— The pair of initial states $(\mathit{start}_{\mathcal{A}}, \mathit{start}_{\mathcal{T}})$ is contained in $V$. 

— Suppose that for a vertex $(q, t) \in V$, we have that $(q', \sigma_I) \in \delta_{\mathcal{A}}(q, l_{\mathcal{T}}(t))$. An 
edge from $(q, t)$ to $(q', \tau(t, \sigma_I))$ must be contained in $E$. 

A run graph is accepting if every infinite path $v_1, v_2, v_3, \ldots \in V^{\omega}$ contains only 
finitely many states in $F$. A transition system $\mathcal{T}$ is accepted by $\mathcal{A}$ if it has an 
accepting run graph. The set of transition systems accepted by $\mathcal{A}$ is called its 
language $\mathcal{L}(\mathcal{A})$. The automaton is empty if, and only if, its language is empty. 

A universal Co-Büchi tree automaton is called a safety tree automaton if 
$F = \emptyset$. Therefore, for safety automata, we have that every run graph is accepting, 
and we drop the $F = \emptyset$ from the tuple defining the automaton. A universal 
Co-Büchi tree automaton is deterministic if $|\delta(s, (\sigma_I, \sigma_O))| = 1$, for all states $s$, 
input letters $\sigma_I$, and output letters $\sigma_O$. 

2.4 Online Turing Machines 

In this paper, we use online Turing machines as a formalisation of a reasonable 
implementation. An online Turing machine has three tapes: an infinite input 
tape, an infinite output tape, and a storage tape of bounded size. The input 
tape is read only, and the output tape is write only. Each time that a symbol is 
read from the input tape, the machine may spend time performing computation 
on the storage tape, before eventually writing a symbol to the output tape. A 
formal definition of this model can be found in Appendix A. 

We can now define the synthesis problem for online Turing machines. Let $\phi$ 
be a CTL formula defined using $\Pi_I$ and $\Pi_O$ as the sets of input and output 
propositions, respectively. We consider online Turing machines that use $2^{\Pi_I}$ as 
the input tape alphabet, and $2^{\Pi_O}$ as the output alphabet. Online Turing 
machines are required, after receiving an input symbol, to produce an output before 
the next input symbol can be read. Therefore, if we consider the set of all possible 
input words that could be placed on the input tape, then the set of possible 
outputs made by the online Turing machine forms a tree. If this tree is a model 
of $\phi$, then we say that the online Turing machine is a model of $\phi$. 

Given a CTL formula $\phi$, we say that an online Turing machine is a small 
model of $\phi$ if the machine can be described in space that is polynomial in $|\phi|$. 
Note that a small model may still have a polynomially sized work tape, and 
therefore it may take an exponential number of steps to produce an output for 
a given input. We say that an online Turing machine is a fast model of $\phi$ if, for 
all inputs, it always takes a polynomial number of steps to produce an output. 
3 Small Models Imply PSPACE = EXPTIME 



Let $\phi$ be a CTL formula that has an input preserving model. In this section we 
show that, if there is always a small online Turing machine that models $\phi$, then 
PSPACE = EXPTIME. Our approach to showing this result will be to guess 
a polynomially sized Turing machine $\mathcal{M}$, and then to use model checking to 
verify whether $\mathcal{M}$ is a model of $\phi$. Since our assumption guarantees that we only 
need to guess polynomially sized online Turing machines, this gives an NPSPACE 
= PSPACE algorithm for solving the CTL synthesis problem. Our proof then 
follows from the fact that CTL synthesis is EXPTIME-complete. 

To begin, we show how model checking can be applied to an online Turing 
machine. To do this, we unravel the machine to an abstract transition system. 

Lemma 3. Given an online Turing machine $\mathcal{M}$, and a CTL formula $\phi$, there 
is an abstract transition system $\mathcal{T}(\mathcal{M})$ such that $\mathcal{M}$ is a model of $\phi$ if and only 
if $\mathcal{T}(\mathcal{M})$ is a model of $\phi$. 

Obviously, the size of $\mathcal{T}(\mathcal{M})$ will be exponential in the size of $\mathcal{M}$. However, 
this is not a problem because there exists a deterministic Turing machine that 
outputs $\mathcal{T}(\mathcal{M})$, while using only $O(|\mathcal{M}|)$ space. 

Lemma 4. There is a deterministic Turing machine that outputs $\mathcal{T}(\mathcal{M})$, while 
using $O(|\mathcal{M}|)$ space. 

Since the model checking procedure given in Theorem 1 uses poly-logarithmic 
space, when it is applied to $\mathcal{T}(\mathcal{M})$ it will use space polynomial in $|\mathcal{M}|$. Now, using 
standard techniques to compose space bounded Turing machines (see [10, Proposition 
8.2], for example), we can compose the deterministic Turing machine given 
by Lemma 4 with the model checking procedure given in Theorem 1 to produce 
a deterministic Turing machine that uses polynomial space in $|\mathcal{M}|$. Hence, we 
have shown that each online Turing machine $\mathcal{M}$ can be model checked against 
$\phi$ in space polynomial in $|\mathcal{M}|$. This implies the following theorem. 

Theorem 5. Let $\phi$ be a satisfiable CTL formula. If there always exists an online 
Turing machine $\mathcal{M}$ that models $\phi$, where $|\mathcal{M}|$ is polynomial in $|\phi|$, then PSPACE 
= EXPTIME. 

4 PSPACE = EXPTIME Implies Small Models 

In this section we show the opposite direction of the result given in Section 3. 
We show that if PSPACE = EXPTIME, then for every CTL formula $\phi$ that 
has an input preserving model, there exists a polynomially sized online Turing 
machine that is a model of $\phi$. We start our proof of this result with a translation 
from CTL to universal Co-Büchi tree automata. In [7] it was shown that every 
CTL formula $\phi$ can be translated to an alternating Co-Büchi tree automaton 
whose language is the models of $\phi$. It is relatively straightforward to translate 
this alternating tree automaton into a universal tree automaton. 
One complication is that the input and output languages of the universal 
tree automaton are supersets of the propositions used to define $\phi$. Let 
$\mathcal{T} = (S, \Sigma_I, \Sigma_O, \tau, l_{\mathcal{T}}, \mathit{start}, \mathit{input})$ be an abstract transition system, where each 
$\sigma_I \in \Sigma_I$ contains some element $a \in 2^{\Pi_I}$ with $a \subseteq \sigma_I$, and each $\sigma_O \in \Sigma_O$ contains 
some element $a \in 2^{\Pi_O}$ with $a \subseteq \sigma_O$. We define $\mathcal{T} \restriction (\Pi_I, \Pi_O)$ to be the abstract 
transition system $\mathcal{T}' = (S, \Sigma_I, \Sigma_O, \tau, l_{\mathcal{T}'}, \mathit{start}, \mathit{input})$ where, if $l_{\mathcal{T}}(s) = (\sigma_I, \sigma_O)$, 
then we define $l_{\mathcal{T}'}(s) = (\sigma_I \cap 2^{\Pi_I}, \sigma_O \cap 2^{\Pi_O})$ for all $s \in S$. We have the following: 

Lemma 6. Let $\phi$ be a CTL formula, which is defined over the set $2^{\Pi_I}$ of input 
propositions, and the set $2^{\Pi_O}$ of output propositions. We can construct a universal 
Co-Büchi tree automaton $\mathcal{U}(\phi) = (S, \Sigma_I, \Sigma_O, \mathit{start}, \delta, F, \mathit{input})$ such that: 

— There is a model $\mathcal{T} \in \mathcal{L}(\mathcal{U}(\phi))$ if and only if $\mathcal{T} \restriction 2^{\Pi_O}$ is a model of $\phi$. 

— The size of the set $S$ is polynomial in $|\phi|$. 

— Each letter in $\Sigma_I$ and $\Sigma_O$ can be stored in space polynomial in $|\phi|$. 

— The transition function $\delta$ can be computed in time polynomial in $|\phi|$. 

— The state $\mathit{start}$ can be computed in polynomial time. 

The techniques used in [13] show how the automaton given by Lemma 6 can 
be translated into an equivalent deterministic safety tree automaton $\mathcal{F}(\phi)$. We 
use a slight modification of this reduction to ensure that $\mathcal{F}(\phi)$ accepts only the 
input preserving models of $\phi$. The automaton has the following properties: 

Lemma 7 ([13]). Given the universal Co-Büchi tree automaton $\mathcal{U}(\phi)$, whose 
state space is $S_{\mathcal{U}}$, we can construct a deterministic safety tree automaton 
$\mathcal{F}(\phi) = (S, \Sigma_I, \Sigma_O, \mathit{start}, \delta, \mathit{input})$ such that: 

— If $\mathcal{L}(\mathcal{U}(\phi))$ contains an input preserving abstract transition system, then 
$\mathcal{L}(\mathcal{F}(\phi))$ is not empty. Moreover, if $\mathcal{T}$ is in $\mathcal{L}(\mathcal{F}(\phi))$, then $\mathcal{T}$ is a model 
of $\phi$. 

— Each state in $S$ can be stored in space polynomial in $|S_{\mathcal{U}}|$. 

— The transition function $\delta$ can be computed in time polynomial in $|S_{\mathcal{U}}|$. 

— Each letter in $\Sigma_I$ and $\Sigma_O$ can be stored in space polynomial in $|S_{\mathcal{U}}|$. 

— The state $\mathit{start}$ can be computed in time polynomial in $|S_{\mathcal{U}}|$. 

We will use the safety automaton $\mathcal{F}(\phi)$ given by Lemma 7 to construct a 
polynomially sized model of $\phi$. This may seem counter intuitive, because the 
number of states in $\mathcal{F}(\phi)$ may be exponential in $|\phi|$. However, we do not need to 
build $\mathcal{F}(\phi)$. Instead our model will solve language emptiness problems for $\mathcal{F}(\phi)$. 

For each state $s \in S$ in $\mathcal{F}(\phi)$, we define $\mathcal{F}_s(\phi)$ to be the automaton $\mathcal{F}(\phi)$ 
with starting state $s$. The emptiness problem takes a CTL formula $\phi$ and a state 
of $\mathcal{F}(\phi)$, and requires us to decide whether $\mathcal{L}(\mathcal{F}_s(\phi)) = \emptyset$. Note that the input 
has polynomial size in $|\phi|$. To solve this problem, we just construct $\mathcal{F}_s(\phi)$. Since 
$\mathcal{F}_s(\phi)$ can have at most exponentially many states in $|\phi|$, and the language 
emptiness problem for safety automata can be solved in polynomial time, we 
have that our emptiness problem lies in EXPTIME. 

Lemma 8. For every CTL formula $\phi$, and every state $s$ in $\mathcal{F}(\phi)$, we can decide 
whether $\mathcal{L}(\mathcal{F}_s(\phi)) = \emptyset$ in exponential time. 
Our key observation is that, under the assumption that PSPACE = EXPTIME, 
Lemma 8 implies that there must exist an algorithm for the emptiness 
problem that uses polynomial space. We will use this fact to construct $\mathcal{M}(\phi)$, 
which is a polynomially sized online Turing machine that models $\phi$. 

Let $\phi$ be a CTL formula that uses $\Pi_I$ and $\Pi_O$ as the sets of input and 
output propositions, and suppose that $\phi$ has an input preserving model. Let 
$\mathcal{F}(\phi) = (S, \Sigma_I, \Sigma_O, \mathit{start}, \delta, \mathit{input})$. The machine $\mathcal{M}(\phi)$ always maintains a current 
state $s \in S$. Lemma 7 implies that this can be stored in polynomial space. The machine 
$\mathcal{M}(\phi)$ begins by setting the current state $s = \mathit{start}$. By Lemma 7 this can be 
done in polynomial time, and hence polynomial space. 

Every time that $\mathcal{M}(\phi)$ reads a new input letter $\sigma_I \in 2^{\Pi_I}$ from the input tape, 
the following procedure is executed. The machine loops through each possible 
element $\sigma_O \in \Sigma_O$ and checks whether there is a pair $(s', \sigma_I') \in \delta(s, (\sigma_I', \sigma_O))$ 
such that $\sigma_I' \cap 2^{\Pi_I} = \sigma_I$ (recall from Lemma 6 that each letter of $\Sigma_I$ contains 
an element of $2^{\Pi_I}$ as a subset) and $\mathcal{L}(\mathcal{F}_{s'}(\phi)) \neq \emptyset$. When an output symbol $\sigma_O$ 
and state $s'$ with this property are found, then the machine outputs $\sigma_O \cap 2^{\Pi_O}$, 
moves to the state $s'$, and reads the next input letter. 

The fact that a suitable pair $\sigma_O$ and $s'$ always exists can be proved by a 
simple inductive argument, which starts with the fact that $\mathcal{L}(\mathcal{F}_{\mathit{start}}(\phi)) \neq \emptyset$, and 
uses the fact that we always pick a successor that satisfies the non-emptiness 
check. Moreover, it can be seen that $\mathcal{M}(\phi)$ is in fact simulating some abstract 
transition system $\mathcal{T} \restriction (\Pi_I, \Pi_O)$ where $\mathcal{T} \in \mathcal{L}(\mathcal{F}(\phi))$. Therefore, by Lemma 6, 
we have that $\mathcal{M}(\phi)$ is a model of $\phi$. 

The important part of our proof is that, if PSPACE = EXPTIME, then this 
procedure can be performed in polynomial space. Since each letter in $\Sigma_O$ can 
be stored in polynomial space, we can iterate through all letters in $\Sigma_O$ while 
using only polynomial space. By Lemma 8, the check $\mathcal{L}(\mathcal{F}_s(\phi)) \neq \emptyset$ can be 
performed in exponential time, and hence, using our assumption that PSPACE 
= EXPTIME, there must exist a polynomial space algorithm that performs 
this check. Therefore, we have constructed an online Turing machine that uses 
polynomial space and models $\phi$. We have proved the following theorem. 

Theorem 9. Let $\phi$ be a CTL formula that has an input preserving model. If 
PSPACE = EXPTIME then there is an online Turing machine $\mathcal{M}$ that models 
$\phi$, where $|\mathcal{M}|$ is polynomial in $|\phi|$. 

Theorem 9 is not constructive. However, if a polynomially sized online Turing 
machine that models $\phi$ exists, then we can always find it in PSPACE by guessing 
the machine, and then model checking it. 

5 Small And Fast Models Imply EXPTIME ⊆ P/poly 

In this section we show that, if all satisfiable CTL formulas have a polynomially 
sized model that responds to all inputs within polynomial time, then EXPTIME 
⊆ P/poly. The first step is to show the following property. Let $\mathcal{A}_b$ be a universal¹ 
alternating Turing machine, whose storage tape is of length $b$. It is possible 
to construct a CTL formula $\phi_b$ that encodes the following specification: (1) 
the first input given by the environment encodes the initial tape configuration 
of $\mathcal{A}_b$, and (2) given this initial tape configuration, the first output given by the 
system must correctly decide whether $\mathcal{A}_b$ halts. 

Lemma 10. There is a family of satisfiable CTL formulas $\phi_b$, where all models 
of $\phi_b$ are required, in their first output, to solve the halting problem for $\mathcal{A}_b$. 

We now show how to construct a polynomial time Turing machine, with a 
polynomially bounded advice function, that solves the halting problem for an 
alternating Turing machine with polynomial space. Specifically, we will solve 
the halting problem for the alternating Turing machine $\mathcal{A}$, which is $\mathcal{A}_b$ where 
the tape is unbounded. We begin by constructing the advice function $f$. This 
function maps natural numbers to advice strings, and our algorithm is permitted 
to use the advice string $f(b)$, where $b$ is the length of our input. In our case, the 
length of each input is the length of the initial tape of $\mathcal{A}$. 

If all CTL formulas have a polynomially sized model that responds to all 
inputs in polynomial time, then Lemma 10 implies that, for each $b$, there exists 
a polynomial size online Turing machine, which responds to all inputs in 
polynomial time, and which solves the halting problem for $\mathcal{A}_b$ in its first output. 
Thus, we can construct an advice function $f$, such that $f(b)$ gives the online 
Turing machine that solves the halting problem for $\mathcal{A}_b$. Our assumptions imply 
that every advice string has polynomial length in $\mathcal{A}_b$. 

Given the advice function $f$, we give a polynomial time algorithm for solving 
the halting problem for $\mathcal{A}$. For each input, we find $b$, which is the length of the 
storage tape of $\mathcal{A}$, and we obtain the online Turing machine $f(b)$. We then give 
$\mathcal{A}$ as the input to $f(b)$, and simulate $f(b)$ until it produces its first output. We 
then output the answer given by $f(b)$. By our assumptions, this can take at most 
polynomial time. Thus, we have shown that the halting problem for $\mathcal{A}$ lies in 
P/poly. Since this problem is complete for APSPACE, and since APSPACE = 
EXPTIME, we have shown the following theorem. 

Theorem 11. If every satisfiable CTL formula $\phi$ has a polynomial size model 
that responds to all inputs after a polynomial amount of time, then EXPTIME 
⊆ P/poly. 

6 EXPTIME ⊆ P/poly Implies Small And Fast Models 

Let $\phi$ be a CTL formula that has an input preserving model. In this section 
we show that if EXPTIME ⊆ P/poly, then there always exists a polynomially 
sized online Turing machine that is a model of $\phi$, and that responds to every 
input within a polynomial number of steps. 

¹ Here, the word "universal" means an alternating Turing machine that is capable of 
simulating all alternating Turing machines. 






The proof of this result closely follows the proof given in Section 4. In 
Lemma 8 we showed that the emptiness problem can be solved in exponential 
time. In this proof, we will use a slightly harder problem. The inputs to our 
problem will be a CTL formula $\phi$, a state $s$ of $\mathcal{F}(\phi)$ and an input letter $\sigma_I \in 2^{\Pi_I}$, 
an integer $n$, and a bit string $w$ of length $n$. Given these inputs, the successor 
emptiness problem is to determine whether there is a letter $\sigma_O \in \Sigma_O$ such that 
the first $n$ bits of $\sigma_O$ are $w$, and $\sigma_O$ satisfies the following property: there 
exists $(s', \sigma_I') \in \delta(s, (\sigma_I', \sigma_O))$ such that $\sigma_I' \cap 2^{\Pi_I} = \sigma_I$ and $\mathcal{L}(\mathcal{F}_{s'}(\phi)) \neq \emptyset$. Once 
again, Lemma 7 implies that the input size of this problem is polynomial in $|\phi|$. 
Moreover, the problem can be solved in exponential time by cycling through all 
possible letters in $\Sigma_O$ and applying the exponential time algorithm of Lemma 8. 

If the CTL formula $\phi$ is fixed, then Lemma 7 implies that all other input 
parameters have bounded size. For a fixed formula $\phi$, let $(\phi, s, \sigma_I, n, w)$ be the input 
of the successor emptiness problem that requires the longest representation. We 
pad the representation of all other inputs so that they have the same length 
as $(\phi, s, \sigma_I, n, w)$. Note that our algorithm for solving the successor emptiness 
problem still runs in exponential time, even if the inputs are padded. 

Now, we can use our assumption of EXPTIME ⊆ P/poly to obtain a polynomial 
time Turing machine with advice function $f$ that solves the emptiness 
problem. Our padding ensures that we have, for each CTL formula 
$\phi$, a unique advice string in $f$ that can be used to solve the successor emptiness 
problem. Therefore, by appending this advice string to the storage tape of 
the machine, we construct a polynomial time Turing machine that solves the 
successor emptiness problem. Hence, we have shown the following lemma. 

Lemma 12. If EXPTIME ⊆ P/poly then, for each CTL formula $\phi$, there is a 
polynomial time Turing machine that solves the successor emptiness problem. 

The construction of the online Turing machine that models $\phi$ is then the same 
as the one that was provided in Section 4, except that we use the polynomial time 
Turing machine from Lemma 12 to solve the successor emptiness problem in each 
step. More precisely, we use binary search to find the output letter $\sigma_O$ in each 
step. Since the size of $\sigma_O$ is polynomial in $|\phi|$, this can obviously be achieved in 
polynomial time. Moreover, our online Turing machine still obviously uses only 
polynomial space. Thus, we have the main result of this section. 
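An added Python example, not from the paper, of the machine $\mathcal{M}(\phi)$ of Section 4 together with the bit-by-bit variant of this section. Instead of an automaton $\mathcal{F}(\phi)$ derived from a CTL formula it uses a small deterministic safety automaton written by hand for a request/grant specification (the propositions `r`, `g`, `m`, the automaton states and the specification are all constructed), and it simplifies the transition function to read the label $(\sigma_I, \sigma_O)$ of the transition-system state reached after input $\sigma_I$, with a blocked transition meaning rejection. The Lemma 8 oracle is the greatest fixpoint of states from which every input direction admits some output with a non-empty successor; `step_by_enumeration` is the loop over $\Sigma_O$ of Section 4, and `step_by_bit_search` fixes the output one bit at a time with the successor emptiness check, as described above. The constructed specification also shows why the emptiness check is needed: the output `m` is never rejected immediately, but leads to a state from which the environment can force a violation, and the fixpoint excludes it.

```python
from itertools import product
from typing import FrozenSet, List, Optional, Set, Tuple

Letter = FrozenSet[str]
R, G, M = "r", "g", "m"          # Pi_I = {r} (request); Pi_O = {g, m} (grant, strict mode); constructed
PI_I, PI_O = (R,), (G, M)


def letters(props: Tuple[str, ...]) -> List[Letter]:
    """All letters over props, ordered by their bit vector (the order the bit search relies on)."""
    return [frozenset(q for q, b in zip(props, bits) if b)
            for bits in product((0, 1), repeat=len(props))]


SIGMA_I, SIGMA_O = letters(PI_I), letters(PI_O)

# Constructed safety specification, given directly as a deterministic safety automaton:
#   - a request must be granted at the step it arrives or at the next step;
#   - two consecutive grants are forbidden;
#   - once the system has output m, every request must be granted at once.
# Automaton states: (request pending, grant cooling down, strict mode).
State = Tuple[bool, bool, bool]
START: State = (False, False, False)
ALL_STATES: List[State] = [(a, b, c) for a in (False, True) for b in (False, True) for c in (False, True)]


def delta(q: State, label: Tuple[Letter, Letter]) -> Optional[State]:
    """Successor on the label (sigma_I, sigma_O) of the state reached after input sigma_I;
    None means the automaton blocks, i.e. the safety property is violated."""
    pending, cooling, strict = q
    inp, out = label
    req, grant = R in inp, G in out
    if grant and cooling:
        return None
    if pending and not grant:
        return None
    if strict and req and not grant:
        return None
    return (req and not grant, grant, strict or M in out)


def live_states() -> Set[State]:
    """Greatest fixpoint: L(F_q) is non-empty iff for every input letter some output
    letter leads to a non-empty successor (the universal automaton must accept along
    every input direction).  This plays the role of the Lemma 8 oracle."""
    live = set(ALL_STATES)
    changed = True
    while changed:
        changed = False
        for q in list(live):
            if not all(any(delta(q, (i, o)) in live for o in SIGMA_O) for i in SIGMA_I):
                live.discard(q)
                changed = True
    return live


LIVE = live_states()


def step_by_enumeration(q: State, inp: Letter) -> Tuple[Letter, State]:
    """Section 4: scan Sigma_O and take the first output whose successor is non-empty."""
    for out in SIGMA_O:
        q2 = delta(q, (inp, out))
        if q2 in LIVE:
            return out, q2
    raise RuntimeError("no admissible output: the current state was not live")


def successor_nonempty(q: State, inp: Letter, prefix: Tuple[int, ...]) -> bool:
    """Successor emptiness problem: is there an output letter whose first len(prefix)
    bits (in the order of PI_O) equal prefix and whose successor is live?"""
    for out in SIGMA_O:
        bits = tuple(int(x in out) for x in PI_O)
        if bits[:len(prefix)] == prefix and delta(q, (inp, out)) in LIVE:
            return True
    return False


def step_by_bit_search(q: State, inp: Letter) -> Tuple[Letter, State]:
    """Section 6: fix the output letter one bit at a time with |Pi_O| oracle calls
    instead of enumerating |Sigma_O| = 2^|Pi_O| letters."""
    prefix: Tuple[int, ...] = ()
    for _ in PI_O:
        prefix += (0,) if successor_nonempty(q, inp, prefix + (0,)) else (1,)
    out = frozenset(x for x, b in zip(PI_O, prefix) if b)
    q2 = delta(q, (inp, out))
    if q2 not in LIVE:
        raise RuntimeError("no admissible output: the current state was not live")
    return out, q2


def run(word: List[Letter], chooser=step_by_enumeration) -> List[Letter]:
    """The online machine M(phi): its whole memory is the current automaton state."""
    q, outs = START, []
    for inp in word:
        out, q = chooser(q, inp)
        outs.append(out)
    return outs


if __name__ == "__main__":
    word = [frozenset({R})] * 5
    print("live states:", sorted(LIVE))
    print("enumeration:", [sorted(o) for o in run(word)])
    print("bit search: ", [sorted(o) for o in run(word, step_by_bit_search)])
```

Both choosers produce the same outputs here because the bit search resolves each bit to 0 whenever some admissible letter starts with that prefix, which coincides with the first admissible letter in the enumeration order; the machine never uses `m`, since `successor_nonempty` reports its successor as empty.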

Theorem 13. Let $\phi$ be a CTL formula that has an input preserving model. If 
EXPTIME ⊆ P/poly then there is a polynomially sized online Turing machine 
$\mathcal{M}$ that models $\phi$ and that responds to every input after a polynomial number of steps. 

7 LTL and Automata 

In this section, we prove similar results for LTL. For LTL, our claims go through 
the intermediate automata that are usually used in LTL model checking and 
synthesis. That is, we turn a given specification $\phi$ into a Büchi word automaton 
for $\neg\phi$. This automaton is simply a universal Co-Büchi automaton. 

Theorem 14 ([8]). Given an LTL formula $\phi$, we can construct a universal 
Co-Büchi automaton $\mathcal{U}_\phi$ with $2^{O(|\phi|)}$ states that accepts a transition system $\mathcal{T}$ if, 
and only if, $\mathcal{T}$ satisfies $\phi$. 

As LTL is a trace language, this automaton is essentially a word automaton 
(the dual of the Büchi automaton that recognises the paths that do not satisfy 
$\phi$): the states sent into each direction are the same, and the transition function 
is therefore polynomial in the states of the automaton. As the arguments in 
Sections 4 and 6 go through a polynomial time reduction from CTL to universal 
Co-Büchi automata (Lemma 7), we can reuse the arguments from these sections, 
bearing in mind that model checking whether an online Turing machine $\mathcal{M}$ is accepted 
by $\mathcal{U}$ can be done in $O((\log|\mathcal{U}| + \log|\mathcal{T}(\mathcal{M})|)^2)$, using the reduction from [15, 
Theorem 3.2] (note that the language of $\mathcal{U}$ is the complement of the language of 
the same automaton read as a nondeterministic reachability automaton, where 
blocking translates to immediate acceptance and vice versa) to the emptiness 
problem of nondeterministic Büchi word automata [14]. 

Theorem 15. Let $\mathcal{U}$ be a universal Co-Büchi automaton that accepts an input 
preserving transition system. 

1. If PSPACE = EXPTIME then there is an online Turing machine $\mathcal{M}$ in the 
language of $\mathcal{U}$, where $|\mathcal{M}|$ is polynomial in the states and a representation 
of the transition function of $\mathcal{U}$. 

2. If EXPTIME ⊆ P/poly then there is a polynomially sized online Turing 
machine $\mathcal{M}$ that is accepted by $\mathcal{U}$, which responds to every input after a 
polynomial number of steps. 

For the other direction, we use universal safety word automata to show that 
the result holds for all languages in the middle. For these automata, we retrace 
the reduction from universal alternating Turing machines: we again interpret 
the first environment input as the initial configuration of this Turing machine 
and henceforth use the environment to resolve the nondeterminism. The only 
difference is that our target language now is a universal safety word automaton 
rather than a CTL formula. The translations are moved to an appendix. 

Theorem 16. Let $\mathcal{U}$ be a universal safety word automaton that accepts all traces 
of an input preserving transition system. 

1. If there is always an online Turing machine $\mathcal{M}$ in the language of $\mathcal{U}$, where 
$|\mathcal{M}|$ is polynomial in the states of $\mathcal{U}$, then PSPACE = EXPTIME. 

2. If there is always an online Turing machine $\mathcal{M}$ in the language of $\mathcal{U}$, where 
$|\mathcal{M}|$ is polynomial in the states of $\mathcal{U}$, that responds to every input after 
polynomially many steps, then EXPTIME ⊆ P/poly. 

It may look surprising that we use the intermediate automata instead of the 
logic. The reason for this is that it provides inroads for other logics. In fact, it 
would now be simple to prove similar results for the modal $\mu$-calculus and its 
alternation free fragment, or to start with ACTL* instead of starting with LTL. 
8 Conclusions

In our first set of proofs, we have linked the existence of small models with the equivalence of PSPACE and EXPTIME. In our second set of proofs we have linked the existence of small and fast models to the question of whether EXPTIME ⊆ P/poly.

There are two ways to interpret these results. A pessimistic viewpoint is that it is extremely unlikely that EXPTIME = PSPACE or that EXPTIME ⊆ P/poly. Our results therefore indicate that it is also unlikely that all CTL formulas have either small, or small and fast, models. On the other hand, an optimistic viewpoint is that finding a proof of PSPACE ≠ EXPTIME, or a proof of EXPTIME ⊄ P/poly, is considered too difficult. Under this point of view, our results indicate that it must also be very difficult to find a family of CTL formulas that provably do not have small, or small and fast, models.
A Online Turing Machines

In this section we formally define an online Turing machine. This takes two steps: we first define Turing machines with input and output, and we then introduce additional restrictions to ensure that each input is followed by exactly one output. Once this has been done, we formally define the synthesis problem for online Turing machines.



A.1 Space Bounded Turing Machines with Input and Output

A deterministic space bounded Turing machine with input and output is a three-tape Turing machine defined by a tuple (S, Σ_I, Σ_T, Σ_O, δ, start, c, init, input). The set S is a finite set of states, and the state start ∈ S is a starting state. The sets Σ_I, Σ_T, and Σ_O give the alphabet symbols for the input, storage, and output tapes. We require that there is a blank symbol ⊔ such that ⊔ is contained in Σ_I, Σ_T, and Σ_O. The function δ is a transition function which maps elements of S × Σ_I × Σ_T × Σ_O to elements of S × (Σ_I × D) × (Σ_T × D) × (Σ_O × D), where D = {←, −, →} is the set of directions. The number c ∈ ℕ gives the space bound for the machine, the sequence init ∈ (Σ_T)^c gives the initial contents of the storage tape, and the letter input gives the initial input symbol. We define the size |M| of a space bounded Turing machine M to be the amount of space used by the tuple (S, Σ_I, Σ_T, Σ_O, δ, start, c, init).

The machine has three tapes I = I_1, I_2, …, T = T_1, T_2, …, T_c, and O = O_1, O_2, …, which we call the input, storage, and output tapes, respectively. Note that, while the input and output tapes are infinite, the storage tape contains exactly c positions. For all i ∈ ℕ we have I_i ∈ Σ_I and O_i ∈ Σ_O. For all i in the range 1 ≤ i ≤ c we have T_i ∈ Σ_T. The tapes are initialized as follows: the input tape I contains an infinitely long input word, where the first letter I_1 = input. The output tape O contains an infinite sequence of blank symbols, and the storage tape T contains the initial storage word init.

A position gives the current state of the machine, along with the positions of the three tape heads. Formally, a position is a tuple of the form (s, i, j, k), where s ∈ S, i, k ∈ ℕ, and j is in the range 1 ≤ j ≤ c. For each i ∈ ℕ and direction d ∈ D, we define:

\[
\mathrm{Next}(i, d) =
\begin{cases}
i - 1 & \text{if } d = \leftarrow \text{ and } i > 0, \\
i + 1 & \text{if } d = \rightarrow, \\
i & \text{otherwise.}
\end{cases}
\]

We also define:

\[
\mathrm{Next}_c(i, d) =
\begin{cases}
i - 1 & \text{if } d = \leftarrow \text{ and } i > 0, \\
i + 1 & \text{if } d = \rightarrow \text{ and } i < c, \\
i & \text{otherwise.}
\end{cases}
\]



The machine begins in the position (start, 0, 0, 0). We now describe one step of the machine. Suppose that the machine is in position (s, i, j, k), and that δ(s, I_i, T_j, O_k) = (s′, (σ_I, d_1), (σ_T, d_2), (σ_O, d_3)). First the symbols σ_I, σ_T, and σ_O are written to I_i, T_j, and O_k, respectively. Then, the machine moves to the position (s′, Next(i, d_1), Next_c(j, d_2), Next(k, d_3)), and the process repeats.

A.2 Online Turing Machines

An online Turing machine is a Turing machine with input and output that has additional restrictions on the transition function δ. We wish to ensure the following property: the machine may only read the symbol at position i on the input tape after it has written a symbol to position i − 1 on the output tape. Moreover, once a symbol has been written to the output tape, we require that it can never be changed. Thus, the machine must determine the first i symbols of the output before the (i + 1)th symbol of the input can be read.

To this end, we partition the set S into the set S_I of input states and the set S_O of output states, and we require that start ∈ S_O. While the machine is in an output state, it is prohibited from moving the input tape head, or from moving the output tape head left. Furthermore, the machine moves from an output state to an input state only when a symbol is written to the output tape. Similarly, when the machine is in an input state it is prohibited from moving the output tape head, and the machine only moves from an input state to an output state when the input tape head is moved right. Finally, the input tape is read-only. This means that in every state, the machine is prohibited from overwriting the symbols on the input tape.

Formally, let (s, i, j, k) be a position, and suppose that δ(s, I_i, T_j, O_k) = (s′, (σ_I, d_1), (σ_T, d_2), (σ_O, d_3)). If s ∈ S_I, then we require:

— The direction d_1 is either − or →, and the direction d_3 is −.

— The symbol σ_I = I_i, and the symbol σ_O = O_k.

— If d_1 = − then we require that s′ ∈ S_I, and if d_1 = → then s′ ∈ S_O.

Similarly, if s ∈ S_O, then we require:

— The direction d_1 is −, and the direction d_3 is either − or →.

— The symbol σ_I = I_i, and if d_3 = − then σ_O = O_k.

— If d_3 = − then s′ ∈ S_O, and if d_3 = → then s′ ∈ S_I.

A.3 The Synthesis Problem

We are interested in online Turing machines with input alphabet Σ_I = 2^{Π_I} and output alphabet Σ_O = 2^{Π_O}, where Π_I is a set of input variables and Π_O is a set of output variables. The sets Π_I and Π_O are required to be disjoint. We will use ∅ as the blank symbol for the input and output tapes.

Let M be an online Turing machine. For each input word α that can be placed on the input tape, the machine produces an output word on the output tape. This output word is either an infinite sequence of outputs made by the machine, or a finite sequence of outputs followed by an infinite sequence of blanks. The second case arises when the machine runs forever while producing only a finite number of outputs.

We define M(α) to be the combination of the inputs given to the machine on the input variables and the outputs made by the machine on the output variables. Formally, let I = I_0, I_1, … and O = O_0, O_1, … be the contents of the input and output tapes after the machine has been allowed to run for an infinite number of steps on the input word α. We define M(α) = σ_0, σ_1, …, where σ_i = I_i ∪ O_i.

Let φ be an LTL formula that uses Π_I ∪ Π_O as the set of atomic propositions. We say that an online Turing machine M is a model of φ if M(α) ⊨ φ for all input words α. We say that φ is realizable if there exists an online Turing machine M that satisfies φ. The LTL synthesis problem for the formula φ is to decide whether φ is realizable.

On the other hand, let φ be a CTL formula that uses Π_I ∪ Π_O as the set of atomic propositions. Note that, since an online Turing machine cannot read the ith input letter until it has produced i − 1 outputs, if α and α′ are two input words that agree on the first i letters, then M(α) and M(α′) must agree on the first i letters. Note also that, since the initial input letter is fixed, all of these words must agree on the first letter. Hence, the set of words {M(α) : α ∈ (Σ_I)^ω} must form an infinite directed labelled tree (T, l). We say that M is a model of φ if T, l ⊨ φ.

B Proof of Lemma 6

To prove this lemma, we first invoke the result of [7] to argue that CTL formulas can be translated to alternating Co-Büchi tree automata, and then argue that these automata can be translated into universal Co-Büchi tree automata. Therefore, we proceed by first giving definitions for alternating tree automata, and then providing a proof for Lemma 6.

B.1 Alternating Tree Automata

We now define alternating Co-Büchi tree automata. An alternating Co-Büchi tree automaton is a tuple A = (S, Σ_I, Σ_O, start, δ, F, input), where S denotes a finite set of states, Σ_I is a finite input alphabet, Σ_O is a finite output alphabet, start ∈ S is an initial state, δ is a transition function, F ⊆ S is a set of final states, and input is an initial input letter. The transition function δ : S × (Σ_I × Σ_O) → B⁺(S × Σ_I) maps a state and a pair of input and output letters to a boolean formula that is built from elements of S × Σ_I, conjunction ∧, disjunction ∨, true, and false. Universal Co-Büchi tree automata correspond to alternating Co-Büchi tree automata in which all formulas given by δ are conjunctions.

The automaton runs on abstract transition systems that use Σ_I and Σ_O as their input and output alphabets. The acceptance mechanism is defined in terms of run graphs. A run graph of an alternating Co-Büchi tree automaton A = (S_A, Σ_I, Σ_O, start_A, δ_A, F_A, input) on an abstract transition system T = (S_T, Σ_I, Σ_O, τ_T, ℓ_T, start_T, input) is defined to be a minimal directed graph G = (V, E) that satisfies the following constraints:

— The vertices of G satisfy V ⊆ S_A × S_T.

— The pair of initial states (start_A, start_T) is contained in V.

— For each vertex (q, t) ∈ V, the set

\[
\{ (q', \sigma_I) \in S_A \times \Sigma_I \mid ((q, t), (q', \tau_T(t, \sigma_I))) \in E \}
\]

is a satisfying assignment of δ_A(q, ℓ_T(t)).

A run graph is accepting if every infinite path v_1, v_2, v_3, … ∈ V^ω contains only finitely many final states. A transition system T is accepted by A if it has an accepting run graph. The set of transition systems accepted by an automaton A is called its language L(A). An automaton is empty if, and only if, its language is empty.

The acceptance of a transition system can also be viewed as the outcome of a game, where player accept chooses, for a pair (q, t) ∈ S_A × S_T, a set of atoms that satisfies δ(q, ℓ_T(t)). Player reject then chooses one of these atoms, and then moves to the corresponding state. The transition system is accepted if, and only if, player accept has a strategy that ensures that all paths visit F a finite number of times.

B.2 Translating CTL to Universal Co-Büchi Tree Automata

The reason we are interested in alternating Co-Büchi tree automata is that there exists a translation from CTL formulas to alternating Co-Büchi tree automata.

Lemma 17 ([7]). For every CTL formula φ there is an alternating Co-Büchi tree automaton A = (S, Σ_I, Σ_O, start, δ, F, input) such that:

— L(A) is the set of abstract transition systems that model φ.

— Both |S| and |δ| are polynomial in |φ|.

— Each letter in Σ_I and Σ_O can be stored in space polynomial in |φ|.

— The starting state can be computed in polynomial time.

We now show that A = (S, Σ_I, Σ_O, start, δ_A, F, input), which is the alternating Co-Büchi tree automaton given by Lemma 17, can be translated into a universal Co-Büchi automaton U = (S, Σ_I, Σ′_O, start, δ_U, F, input).

Let T ∈ L(A) be an abstract transition system that is accepted by A, and let G = (V, E) be the run graph of T on A. Note that, by the definition of a run graph, for each state (q, t) ∈ V we use exactly one satisfying assignment to generate the outgoing edges from (q, t). The idea behind this proof is to use the output symbols of T to store this satisfying assignment.

Formally, we define the extended alphabet Σ′_O := Σ_O × (S → 2^{S × Σ_I}). Each output letter of the abstract transition system contains an actual output letter σ_O ∈ Σ_O, along with |S| lists of satisfying assignments. Since S has size polynomial in |φ|, and each element of Σ_I has size in O(|φ|), each element of Σ′_O can be stored in space polynomial in |φ|.

Let q ∈ S be a state of A, let (σ_I, σ_O) ∈ Σ_I × Σ_O be a pair of input and output letters, and let γ : S → 2^{S × Σ_I}. If γ(q) is a satisfying assignment of δ_A(q, (σ_I, σ_O)), then we add the transition δ_U(q, (σ_I, (σ_O, γ))) = γ(q). Although the function may be exponential, we can compute, for a given q, (σ_I, σ_O), and γ, whether δ_U(q, (σ_I, (σ_O, γ))) is a transition in polynomial time. This is because δ_A has polynomial size in |φ|, and checking whether γ(q) is a satisfying assignment can easily be done in polynomial time.

Note that, for each abstract transition system T ∈ L(U), we can use the labels of each state to argue that there must be a corresponding run graph of T↾2^{Π_O} on A. On the other hand, if T has a run graph on A, then we can easily use the satisfying assignments used in this run graph to construct an abstract transition system T′ ∈ L(U) with T′↾2^{Π_O} = T. Therefore, we have that T ∈ L(U) if and only if T↾2^{Π_O} is a model of φ. This completes the proof of Lemma 6.



C Proof of Lemma 7

From [13] we have the following lemma.

Lemma 18 ([13]). Given the universal Co-Büchi tree automaton U(φ), we can construct a deterministic safety tree automaton F(φ) = (S, Σ_I, Σ_O, start, δ) such that:

— We have L(U(φ)) = L(F(φ)).

— Each state in S can be stored in space polynomial in |φ|.

— The transition function δ can be computed in time polynomial in |φ|.

— Each letter in Σ_I and Σ_O can be stored in space polynomial in |φ|.

— The state start can be computed in polynomial time.

The only remaining step is to ensure that L(F(φ)) contains only input preserving models. To do this, we construct a second deterministic safety tree automaton F′(φ) = (S′, Σ_I, Σ_O, start′, δ′, input). The set of states is S′ = Σ_I × S, and the starting state is start′ = (input, start). Let (σ_I, s) ∈ S′ be a state, and let (σ′_I, σ′_O) be a pair of input and output letters. We define:

\[
\delta'((\sigma_I, s), (\sigma'_I, \sigma'_O)) =
\begin{cases}
\emptyset & \text{if } \sigma_I \neq \sigma'_I, \\
\{ ((\sigma''_I, s'), \sigma''_I) : (s', \sigma''_I) \in \delta(s, (\sigma_I, \sigma'_O)) \} & \text{otherwise.}
\end{cases}
\]

This construction simply eliminates all transitions of F(φ) that are not input preserving, and appends the input letter to the state for all transitions that are input preserving. Thus, if L(F(φ)) contains an input preserving abstract transition system T, then T ∈ L(F′(φ)). This completes the proof of Lemma 7.
D Proof of Lemma 3

Proof. Suppose that M = (S, Σ_I, Σ_T, Σ_O, δ, start, c, init, input), and let (S_I, S_O) be the partition of S into the input and output states. We will assume that Σ_I = 2^{Π_I} and Σ_O = 2^{Π_O}, for some sets Π_I and Π_O of input and output propositions.

We define T(M) = (S_T, Σ_I, Σ_O, τ_T, ℓ_T, start_T, input) as follows. The state space is the union of three sets. Firstly we have the normal states S_N = S × Σ_I × ℕ_{≤c} × Σ_O × (Σ_T)^c, where ℕ_{≤c} = {1, 2, …, c}, which represent the computational states that the Turing machine can be in. We also have a special failure state fail, which will be used to indicate that the Turing machine runs forever without writing an output symbol. Finally, for each state a ∈ S_N we have a special failure state fail_a, which will be used in the case where the Turing machine reads an input, writes an output, and then runs forever without reading another input symbol. The state fail_a will be used to hold the final output of the machine before we move to fail. Therefore, we define S_T = S_N ∪ {fail} ∪ {fail_a : a ∈ S_N}.

All states a ∈ S_N are tuples of the form (s, σ_I, j, σ_O, T = (T_1, T_2, …, T_c)), where s is a state of the Turing machine, j is the current position of the storage tape head, σ_I is the symbol at the head of the input tape, σ_O is the last symbol written to the output tape, and T is the current state of the storage tape. Since we know that I_1 = input and O_1 = ∅ in the initial state of the machine, the starting state of the abstract transition system will be start_T = (start, input, 1, ∅, init).

We now define τ_T. Let a = (s, σ_I, j, σ_O, T = (T_1, T_2, …, T_c)) be a normal state. Note that the definition of an online Turing machine ensures that there is always a blank symbol at the head of the output tape. Therefore, suppose that:

δ(s, σ_I, T_j, ∅) = (s′, (σ′_I, d_1), (σ′_T, d_2), (σ′_O, d_3)).

If a state a has d_1 = → then we say that a is an input state, and if a has d_3 = → then we say that a is an output state. The transition function τ_T will only define transitions for input states and for start_T, as these will be the only states that are reachable from the starting state of the transition system. For all other states s we define τ_T(s, σ_I) = fail for all input letters σ_I ∈ Σ_I.

Before we define τ_T, we first define a helper function Succ. This function will allow us to find the transitions between input states. Let a = (s, σ_I, j, σ_O, T = (T_1, T_2, …, T_c)) be a normal state, and let T′ be the tape T with the jth symbol replaced by σ′_T. If d_3 = − then we define Succ(a) to be

a′ = (s′, σ_I, Next_c(j, d_2), σ_O, T′).

On the other hand, if d_3 = → then we define Succ(a) to be

a′ = (s′, σ_I, Next_c(j, d_2), σ′_O, T′).

Note that this definition correctly remembers the last symbol that was written to the output tape.
For each input state a = (s, σ_I, j, σ_O, T = (T_1, T_2, …, T_c)) and each input letter σ_I, let a′ be Succ(a) with its input letter component replaced by the new letter σ_I. We define π(a, σ_I) to be the path that starts at a′ and follows Succ until another input state is reached. Note that this path may be infinite if the Turing machine runs forever without requesting an input. If π(a, σ_I) ends at a state a″, then we define τ_T(a, σ_I) = a″. On the other hand, if π(a, σ_I) is an infinite path, then we have two cases to consider. If π(a, σ_I) never visits an output state, then we define τ_T(a, σ_I) = fail. On the other hand, if π(a, σ_I) does visit an output state a″, then we define τ_T(a, σ_I) = fail_{Succ(a″)}. This is because Succ(a″) is the first state that correctly remembers the output made at a″. For each state a ∈ S_N we define τ_T(fail_a, σ_I) = fail for all input letters σ_I ∈ Σ_I. We also define τ_T(fail, σ_I) = fail for all input letters σ_I ∈ Σ_I.

Finally, we define ℓ_T. For each normal state a = (s, σ_I, j, σ_O, T) we define ℓ_T(a) = (σ_I, σ_O). Note that this implies that the transition system is input preserving, because at an input state the parameter σ_I must contain the input that corresponds to the last output. For each state fail_a with a = (s, σ_I, j, σ_O, T) we define ℓ_T(fail_a) = σ_O. Finally, we define ℓ_T(fail) = ∅, which is the blank symbol for the output tape of an online Turing machine.

To see that this reduction is correct, note that, in an online Turing machine, exactly one output is written to the output tape for each input that is read from the input tape. Therefore, for every state a, our transition function τ_T(a, σ_I) correctly moves to a state a′ = (s, σ_I, j, σ_O, T), where σ_O is the output given by the online Turing machine for the input σ_I. Moreover, if the Turing machine runs for an infinite number of steps while producing only a finite number of outputs, then T will correctly produce an infinite sequence of blank symbols, and it also correctly outputs the final output symbol. Therefore, we have that T(M) is a model of φ if and only if M is a model of φ. □

E Proof of Lemma 4

Proof. Given the online Turing machine M = (S, Σ_I, Σ_T, Σ_O, δ, start, c, init), our task is to output T(M) = (S_T, Σ_I, Σ_O, τ_T, ℓ_T, start_T). Recall that each normal state s ∈ S_N is a tuple of the form (s, σ_I, j, σ_O, T). Obviously the parameters s, σ_I, j, and σ_O can be stored in O(|M|) space. Moreover, since the description of M contains init, which is a tape of length c, the tape T can also be stored in O(|M|) space. Since the state space S_T consists of S_N, fail, and fail_a for each a ∈ S_N, we have that each state of T(M) can be stored in O(|M|) space.

Our algorithm for outputting T(M) is as follows. We begin by outputting start_T. Then we output the state fail along with the outgoing transitions from fail. We then cycle through each normal state s ∈ S_N, and output s and fail_s, along with ℓ_T(s) and ℓ_T(fail_s). We also output the outgoing transitions from fail_s. All of these operations can obviously be done in O(|M|) space.

Finally, we must argue, for each normal state s ∈ S_N, that the outgoing transition from s can be computed in O(|M|) space. To compute τ_T(s, σ_I) for some input letter σ_I ∈ Σ_I, we iteratively follow the function Succ(s, σ_I) until we find an input state. If, while iterating Succ(s, σ_I), we encounter an output state s′, then we remember it. If we find an input state s′, then we output τ_T(s, σ_I) = s′. On the other hand, we may never find an input state. Therefore, we also maintain a counter, which counts the number of times that Succ has been followed. If the counter reaches |S_N|, then we know that the online Turing machine must run forever without reading its next input. In this case, if an output state s′ has been remembered, then we output τ_T(s, σ_I) = fail_{Succ(s′, σ_I)}. Otherwise, we output τ_T(s, σ_I) = fail.

To implement this procedure, we must remember at most 3 states: one for s, one for the current state, and one for the output state that must be remembered. We must also maintain a counter that uses log(|S_N|) bits, and |S_N| ∈ 2^{O(|M|)}. Therefore, this procedure can be implemented in O(|M|) space. □
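As an added illustration (not code from the paper), the following Python models an online Turing machine as in Appendix A, checks the restrictions of A.2 on δ, and computes τ_T(a, σ_I) the way the proof of Lemma 4 does: iterate Succ, remember the output state met on the way, and give up with fail or fail_{Succ(a″)} once the counter reaches |S_N|. The parity machine, the string encodings of states and directions, and 0-based storage positions are my own constructions.

```python
from collections import namedtuple
LEFT, STAY, RIGHT = "<-", "-", "->"   # the direction set D of Appendix A.1
BLANK = frozenset()                   # the empty set is the blank symbol (Appendix A.3)
FAIL = ("fail",)                      # the state fail of the proof of Lemma 3

# (S_I, S_O, delta, start, c, init, input) of A.1/A.2, where delta maps
# (s, I_i, T_j, O_k) to (s', (sigma_I, d1), (sigma_T, d2), (sigma_O, d3)).
OnlineTM = namedtuple("OnlineTM", "states_in states_out delta start c init inp")

def check_online(m):
    """Violations of the A.2 restrictions on delta; an empty list means M is online."""
    bad = [] if m.start in m.states_out else ["start must be an output state"]
    for (s, i, t, o), (s2, (si, d1), (st, d2), (so, d3)) in m.delta.items():
        if si != i:
            bad.append(f"{s}: input tape is read-only")
        if s in m.states_in:   # only the input head moves, only right; leave S_I iff it moves
            if d1 == LEFT or d3 != STAY or so != o or (d1 == STAY) != (s2 in m.states_in):
                bad.append(f"{s}: illegal move from an input state")
        elif d1 != STAY or d3 == LEFT or (d3 == STAY and so != o) \
                or (d3 == STAY) != (s2 in m.states_out):   # output head only; leave S_O iff it writes
            bad.append(f"{s}: illegal move from an output state")
    return bad

def next_c(j, d, c):
    """Next_c of A.1 on storage positions 0..c-1 (the paper numbers them 1..c)."""
    return j - 1 if d == LEFT and j > 0 else j + 1 if d == RIGHT and j < c - 1 else j

# A normal state of T(M) is (s, sigma_I, j, sigma_O, T), as in the proof of Lemma 3.
def step(m, a):
    s, si, j, so, tape = a
    return m.delta[(s, si, tape[j], BLANK)]   # the output head always sits on a blank

def is_input_state(m, a):  return step(m, a)[1][1] == RIGHT    # d1 = ->
def is_output_state(m, a): return step(m, a)[3][1] == RIGHT    # d3 = ->
def succ(m, a):
    """Succ(a): one delta step; the remembered output changes only if d3 = ->."""
    s, si, j, so, tape = a
    s2, _, (st, d2), (so2, d3) = step(m, a)
    return (s2, si, next_c(j, d2, m.c), so2 if d3 == RIGHT else so,
            tape[:j] + (st,) + tape[j + 1:])

def state_space_bound(m):
    """|S_N| = |S| * |Sigma_I| * c * |Sigma_O| * |Sigma_T|^c, the counter limit of Lemma 4."""
    si, st, so = ({k[n] for k in m.delta} for n in (1, 2, 3))
    return (len(m.states_in) + len(m.states_out)) * len(si) * m.c * len(so) * len(st) ** m.c

def tau(m, a, new_input, bound):
    """tau_T(a, sigma_I) for an input state a, computed as in the proof of Lemma 4."""
    s, si, j, so, tape = succ(m, a)
    cur = (s, new_input, j, so, tape)     # a' = Succ(a) with the input letter replaced
    remembered = None                     # the output state on the path, if one is seen
    for _ in range(bound):                # |S_N| steps without a new input state: M hangs
        if is_input_state(m, cur):
            return cur
        if is_output_state(m, cur):
            remembered = cur
        cur = succ(m, cur)
    return ("fail", succ(m, remembered)) if remembered else FAIL   # fail_{Succ(a'')} or fail

def run_word(m, word):
    """Output letters along an input word (the O_i of M(alpha) in A.3); fail_a contributes
    its stored output and ends the run, fail contributes a blank."""
    bound = state_space_bound(m)
    a, outs = (m.start, m.inp, 0, BLANK, m.init), []   # start_T of Lemma 3
    for _ in range(bound):                              # walk to the first input state
        if is_input_state(m, a):
            break
        a = succ(m, a)
    else:
        return outs                                     # M never asks for a second input
    for si in word:
        a = tau(m, a, si, bound)
        if a[0] == "fail":
            outs.append(a[1][3] if len(a) == 2 else BLANK)
            break
        outs.append(a[3])
    return outs

X, H, Y = "x", "h", "y"   # constructed Pi_I = {x, h}, Pi_O = {y}; y reports the parity of x's read
SIGMA_I = [frozenset(s) for s in ((), (X,), (H,), (X, H))]
SIGMA_O = [BLANK, frozenset({Y})]

def parity_machine():
    """Constructed example with c = 1: the storage cell holds the parity of the x's read so
    far; reading h hangs M after answering (fail_a), reading {x, h} before answering (fail)."""
    d = {}
    for si in SIGMA_I:
        for t in ("0", "1"):
            for o in SIGMA_O:
                p = str(int(t) ^ (X in si))
                out = frozenset({Y}) if p == "1" else BLANK
                if si == frozenset({X, H}):
                    d[("start", si, t, o)] = ("spin_o", (si, STAY), (t, STAY), (o, STAY))
                else:
                    nxt = "spin_i" if H in si else "read"
                    d[("start", si, t, o)] = (nxt, (si, STAY), (p, STAY), (out, RIGHT))
                d[("read", si, t, o)] = ("start", (si, RIGHT), (t, STAY), (o, STAY))
                for spin in ("spin_o", "spin_i"):
                    d[(spin, si, t, o)] = (spin, (si, STAY), (t, STAY), (o, STAY))
    return OnlineTM(frozenset({"read", "spin_i"}), frozenset({"start", "spin_o"}),
                    d, "start", 1, ("0",), BLANK)
```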

F Proof of Theorem 5

Proof. We show that, under the assumption that there is always a model of size c, the CTL synthesis problem can be solved in polynomial space. Since Theorem 2 implies that CTL synthesis is EXPTIME-complete, we will therefore prove that PSPACE = EXPTIME.

The algorithm is as follows. We first non-deterministically guess an online Turing machine M with |M| ∈ O(poly(|φ|)). Then we model check against the input formula φ, using the Turing machine given by Lemma 4 and the Turing machine given by Theorem 1. Since the output of the first Turing machine has size 2^{O(|M|)}, we have that the second Turing machine uses O(|M|) space. Using standard techniques to compose space bounded Turing machines (see [10, Proposition 8.2], for example), we obtain a Turing machine that solves the CTL synthesis problem in NPSPACE = PSPACE. □

G Proof of Lemma 8

Proof. From the formula φ we can construct F_s(φ) = (S, Σ_I, Σ_O, s_0, δ, F) in exponential time by doing the following: first we loop through each possible state in S and output it. Since Lemma 7 guarantees that each state can be stored in space polynomial in |φ|, this procedure can take at most exponential time in |φ|. Then, we loop through each member of S × Σ_O. Again, since Lemma 7 implies that each member of S × Σ_O can be written in polynomial space, this procedure takes at most exponential time.

So far we have shown that the states and transitions of F_s(φ) can be constructed in exponential time, while using exponential space. We call a state s′ ∈ S rejecting if δ(s′, σ_O) = ∅ for all output letters σ_O ∈ Σ_O. It is not difficult to see that L(F_s(φ)) = ∅ if, and only if, all possible paths from s_0 lead to a rejecting state. Thus, we can solve the emptiness problem by solving a simple reachability query on the automaton that we have constructed. Since reachability can be solved in polynomial time, and the description of our automaton uses exponential space, this reachability query can be answered in exponential time. □



H Proof of Lemma 10

Proof. We first define the set of output propositions Π_O that will be used by our CTL formula. Our intention is that each letter σ_O ∈ Σ_O = 2^{Π_O} should encode a configuration of an alternating Turing machine with a storage tape of length b. The storage tape itself can be represented using b′ = b · log_2 |Σ_T| atomic propositions p_1, …, p_{b′}. We also use b atomic propositions t_1, …, t_b to encode the position of the tape head: the proposition t_i is true if and only if the tape head is at position i of the tape. We use l = log_2(|Q|) atomic propositions, where Q is the set of states in our Turing machine, to encode q, which is the current state in the configuration. We also use l + b′ + log_2 b atomic propositions to encode a counter c, which will count the number of steps that have been executed. Finally, and most importantly, we include one proposition h, and we will require that h accurately predicts whether the alternating Turing machine will eventually halt from the current configuration. We will use Σ_I = Σ_O.

We now specify the CTL formula φ. The first input symbol will be interpreted as the initial state of our alternating Turing machine A. Since our machine is an alternating machine, the transition function between configurations is not deterministic. Instead, in each step there is either a universal or a nondeterministic choice that must be made. We will allow the environment to resolve these decisions. Since Σ_I contains enough letters to encode every possible configuration of A, there are obviously more than enough letters in Σ_I to perform this task. Once the nondeterminism or universality has been resolved, the formula requires the model to output the next configuration of the alternating Turing machine. In other words, the environment will pick a specific branch of the computation of A, and therefore all models of φ must be capable of producing all possible computation branches of A. It is not difficult to produce a CTL formula that encodes these requirements.

However, we have one final requirement that must be enforced: that the proposition h correctly predicts whether the current configuration eventually halts. This can be achieved by adding the following requirements to our CTL formula.

— If q is an accepting state, then h must be true.

— If c has reached its maximum value, then h must be false.

— If q is non-accepting and c has not reached its maximum value then:

  • If q is an existential state, then h ↔ EXh.

  • If q is a universal state, then h ↔ AXh.

Therefore, we have constructed a CTL formula φ such that, for every model of φ, the first output from the model must solve the halting problem for a b-space bounded alternating Turing machine. □
I LTL and Automata

I.1 LTL Formulas

Given a finite set Π of atomic propositions, the syntax of an LTL formula is defined as follows:

\[
\varphi ::= p \mid \neg\varphi \mid \varphi \lor \varphi \mid X\varphi \mid \varphi\, U\, \varphi,
\]

where p ∈ Π. For each LTL formula φ, we define |φ| to give the size of the formula, which is the size of the parse tree for that formula.

Let σ = σ_0, σ_1, … be an infinite word where each symbol σ_i ∈ 2^Π. For each i ∈ ℕ, we define the semantics of an LTL formula φ as follows:

— σ, i ⊨ p if and only if p ∈ σ_i.

— σ, i ⊨ ¬φ if and only if σ, i ⊭ φ.

— σ, i ⊨ φ ∨ ψ if and only if either σ, i ⊨ φ or σ, i ⊨ ψ.

— σ, i ⊨ Xφ if and only if σ, i + 1 ⊨ φ.

— σ, i ⊨ φ U ψ if and only if there exists n ≥ i such that σ, n ⊨ ψ and for all j in the range i ≤ j < n we have σ, j ⊨ φ.

A word σ is a model of an LTL formula φ if and only if σ, 0 ⊨ φ. If σ is a model of φ, then we write σ ⊨ φ.
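As an added example (not from the paper), the five semantic clauses above implemented in Python over ultimately periodic words σ = u·v^ω, the usual finite representation of an infinite word; the tuple encoding of formulas, the lasso representation, and the derived operators at the end are my assumptions.

```python
def letter(word, k):
    """The k-th letter of sigma = u v^omega, where word = (u, v) is a constructed lasso."""
    u, v = word
    return u[k] if k < len(u) else v[(k - len(u)) % len(v)]

def holds(word, i, phi):
    """sigma, i |= phi for the five clauses of Section I.1.
    Assumed encoding: ("p", name), ("not", f), ("or", f, g), ("X", f), ("U", f, g);
    each letter of the word is a set of proposition names."""
    op = phi[0]
    if op == "p":
        return phi[1] in letter(word, i)
    if op == "not":
        return not holds(word, i, phi[1])
    if op == "or":
        return holds(word, i, phi[1]) or holds(word, i, phi[2])
    if op == "X":
        return holds(word, i + 1, phi[1])
    if op == "U":
        # Positions at or beyond |u| repeat with period |v|, so the smallest n >= i with
        # sigma, n |= psi, if any, lies below max(i, |u|) + |v|; and if that smallest n has
        # some j in [i, n) violating phi, every larger candidate n contains that j as well.
        u, v = word
        for n in range(i, max(i, len(u)) + len(v)):
            if holds(word, n, phi[2]):
                return all(holds(word, j, phi[1]) for j in range(i, n))
        return False
    raise ValueError(f"unknown operator {op!r}")

def models(word, phi):
    """sigma |= phi, i.e. sigma, 0 |= phi."""
    return holds(word, 0, phi)

# Derived operators built from the core syntax (true is p or not p for a fresh p).
TRUE = ("or", ("p", "_"), ("not", ("p", "_")))
def F(f): return ("U", TRUE, f)            # eventually f
def G(f): return ("not", F(("not", f)))    # always f
```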

Let φ be an LTL formula that uses Π_I ∪ Π_O as a set of atomic propositions. We say that the abstract transition system T is a model of φ if σ(π) ⊨ φ for every infinite path π that begins at the starting state. Given an LTL formula φ and an abstract transition system T, the LTL model checking problem is to decide whether T is a model of φ.

Theorem 19 ([15]). Given an abstract transition system T and an LTL formula φ, the LTL model checking problem can be solved in O((log |T| + |φ|)²) space.

The LTL synthesis problem is defined in the same way as the CTL synthesis problem: given an LTL formula φ, we must decide whether there exists an abstract transition system that is a model of φ.

Theorem 20 ([12]). The LTL synthesis problem is 2EXPTIME-complete.

I.2 Proofs for Theorem 16

Lemma 21. Let U be a realisable universal safety word automaton. If there always exists an online Turing machine M that realises U while taking only O(poly(|U|)) time between reading two input letters, then EXPTIME ⊆ P/poly.

Proof. As in the proof of Lemma 10, we use a reduction from the halting problem of a universal space bounded alternating Turing machine.

We first define the set of output propositions Π_O that will be used by our universal Co-Büchi automaton. Our intention is again that each letter σ_O ∈ Σ_O = 2^{Π_O} should encode a configuration of an alternating Turing machine with a storage tape of length b. The storage tape itself can be represented using b′ = b · log_2 |Σ_T| atomic propositions p_1, …, p_{b′}. We also use b atomic propositions t_1, …, t_b to encode the position of the tape head: the proposition t_i is true if and only if the tape head is at position i of the tape. We use l = log_2(|Q|) atomic propositions, where Q is the set of states in our Turing machine, to encode q, which is the current state in the configuration. We also use l + b′ + log_2 b atomic propositions to encode a counter c, which will count the number of steps that have been executed. Finally, and most importantly, we include one proposition h, and we will require that h accurately predicts whether the alternating Turing machine will eventually halt from the current configuration. Different from the reduction from CTL, we also have to include a way to resolve existential choices in the model. We therefore also include atomic propositions that refer to the directions that serve as witnesses for the fact that h is true for existential states or false for universal states. We refer to this successor as the witness successor.

We now specify the universal safety automaton U. Since A is an alternating Turing machine, the transition function between configurations is not deterministic. Instead, in each step there is either a universal or an existential choice that must be made. We will allow the environment to resolve these decisions. Since Σ_I contains enough letters to encode every possible configuration of A, there are obviously more than enough letters in Σ_I to perform this task.

To check the correctness of these transitions, the universal safety automaton would, for each transition, have a corresponding input letter a. It would send, for each cell of the tape of A, for the finite control of A, and for the position the read/write head should be in after the transition, a state to all successors. These states carry the obligations; the first input symbol will be interpreted as the initial state of our alternating Turing machine A. While the automaton sends the obligations to all successors, they are only interpreted on the single successor where the input read (and hence represented in the label) is a. (Reading a different input leads to immediate acceptance.)

Once the existential and universal decisions of A have been resolved, the 
formula requires the model to output the next configuration of the alternating 
Turing machine. In other words, the environment will pick a specific branch of the 
computation of A, and therefore all transition systems in the language of U must 
be capable of producing all possible computation branches of A. It is not difficult 
to produce a universal safety automaton that encodes these requirements. 

However, we have one final requirement that must be enforced: that, in the 
first step of the computation, the proposition h correctly predicts whether the 
current configuration eventually halts. This can be achieved by adding the 
following requirements to our universal safety automaton. 

— If q is an accepting state, then h must be true. 

— If q is non-accepting and c has reached its maximum value, then h must be 
false. 

— If q is non-accepting and c has not reached its maximum value then: 

• If q is an existential state and h is true, then h must be true for the 
witness successor. 

• If q is an existential state and h is false, then h must be false for all 
successors. 

• If q is a universal state and h is true, then h must be true for all 
successors. 

• If q is a universal state and h is false, then h must be false for the 
witness successor. 

Therefore, we have constructed a universal safety word automaton U such 
that, for every model of U, the first output from the model must solve the halting 
problem for a &-space bounded alternating Turing machine. □ 

Theorem 22. Let U be a realisable universal safety word automaton. If there 
always exists an online Turing machine M, with |M| ∈ O(poly(|U|)), that is 
accepted by U, then PSPACE = EXPTIME. 

Proof. A proof that the synthesis problem for these automata is EXPTIME-complete 
is contained in the proof of the previous lemma. 

Model checking whether M is accepted by U can be done in space 
log |T(M)|)²), using the reduction from Theorem 3.2 of [15] (note that the language 
of U is the complement of the language of the same automaton read as 
a nondeterministic reachability automaton, where blocking translates to immediate 
acceptance and vice versa) to the emptiness problem of nondeterministic 
Büchi word automata [14]. □ 